How to configure a WildFire Real-Time signature exception

Created On 10/06/21 19:20 PM - Last Modified 01/19/24 13:20 PM


Objective


Identify when a wildfire-virus threat was triggered exclusively by a WildFire Real-Time signature, and explore the available threat exception options.

Environment


  • Palo Alto Networks
  • WildFire is configured for Real-Time Dynamic Updates.


Procedure


How to identify if a wildfire-virus threat detection happened because of WildFire Real-Time

  1. The entry in the Threat Logs is of type wildfire-virus.
  2. When searching Threat Vault for the UTID, the "Threat ID" and the "Current Release" under the Release column for "WildFire Signatures" will show as "n/a".
  3. If you search in the PAN-OS CLI, you will find the UTID entry in the WildFire Real-Time MP (management plane) and DP (dataplane) caches. Example:

MP Cache

> show wildfire-realtime-cache virus-pattern-type ALL | match <UTID>

Example:

> show wildfire-realtime-cache virus-pattern-type ALL | match 42496182
UTID: 42496182, NPatterns: 1, PatternPos: 0, Disabled: No


DP Cache

> debug dataplane show ctd wf-cache virus-pattern-type ALL | match <UTID>

Example:

> debug dataplane show ctd wf-cache virus-pattern-type ALL | match 42496182
UTID: 42496182, NPatterns: 1, PatternPos: 0, Disabled: No


How to add a threat exception for WildFire Real-Time signatures


To add a threat exception, add the UTID to the Exceptions section of the Antivirus profile and Commit. See the Create Threat Exceptions documentation for instructions.

If a Commit cannot be pushed due to restrictions, the signature can be temporarily excepted on the fly via the PAN-OS CLI. Please note that this exception does not persist through a reboot and is therefore only meant as a stop-gap solution.

Add temporary exception:

  1. First search for the entry using the commands described in Step 3.
  2. Then "delete" the entry from the cache, effectively placing the temporary exception. To do so, issue the command:
> request wildfire-realtime-cache delete virus-pattern-type PE UTID <UTID> virus-pattern <PATTERN>

Example:

> request wildfire-realtime-cache delete virus-pattern-type PE UTID 42496182 virus-pattern 0001000d0000000000000000000200021404004c00000006

Successfully deleted virus from WildFire real-time cache
  3. To verify that the temporary exception is active, use the commands described in Step 3. The signature will be listed as "Disabled: Yes". Example:

MP Cache

> show wildfire-realtime-cache virus-pattern-type ALL | match <UTID>

Example:

> show wildfire-realtime-cache virus-pattern-type ALL | match 42496182
UTID: 42496182, NPatterns: 1, PatternPos: 0, Disabled: Yes


DP Cache

> debug dataplane show ctd wf-cache virus-pattern-type ALL | match <UTID>

Example:

> debug dataplane show ctd wf-cache virus-pattern-type ALL | match 42496182
UTID: 42496182, NPatterns: 1, PatternPos: 0, Disabled: Yes
  4. To re-"add" the signature, or otherwise "remove" the temporary exception, issue the command:
> request wildfire-realtime-cache add virus-pattern-type PE UTID <UTID> virus-pattern <PATTERN>

Example:

> request wildfire-realtime-cache add virus-pattern-type PE UTID 42496182 virus-pattern 0001000d0000000000000000000200021404004c00000006

Successfully added virus to WildFire real-time cache


Additional Information


There is an issue where disabled WildFire signatures may remain stuck in the WildFire DP cache (Ref. PAN-182689).
The issue affects firewalls running PAN-OS versions older than 10.1.10 or 10.2.3 where the WildFire Real-Time feature is not enabled in the WildFire-Virus Dynamic Update package configuration.

To resolve the issue, set the WildFire-Virus Dynamic Update schedule to Real-Time, or upgrade to PAN-OS 10.2.3, 10.1.10 or newer.

Another workaround is to clear all entries from the WildFire DP Cache. You can specify the virus-pattern-type (PE if the signature is of type PE) or ALL to reset the whole WildFire DP Cache.

> debug dataplane reset ctd wf-cache virus-pattern-type PE
or
> debug dataplane reset ctd wf-cache virus-pattern-type ALL

Note that this removes entries from the WildFire DP Cache in bulk. There is no command available to delete a single UTID from the WildFire DP Cache.
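When verifying a temporary exception, the MP and DP cache outputs above should agree; a UTID that shows "Disabled: Yes" in the MP cache but "Disabled: No" in the DP cache is the symptom of the stuck DP cache issue just described. The following is an added example (not part of this article or of PAN-OS) that parses pasted output of the two "show" commands and classifies the exception state for one UTID. The sample output lines are constructed to match the format shown in this article.

```python
import re
from typing import Dict, Optional

# Matches one cache line as printed by the PAN-OS commands in this article, e.g.
# "UTID: 42496182, NPatterns: 1, PatternPos: 0, Disabled: Yes"
CACHE_LINE = re.compile(
    r"UTID:\s*(?P<utid>\d+),\s*NPatterns:\s*\d+,"
    r"\s*PatternPos:\s*\d+,\s*Disabled:\s*(?P<disabled>Yes|No)"
)


def parse_cache(output: str) -> Dict[int, bool]:
    """Map UTID -> True when the entry is disabled (exception in place)."""
    entries: Dict[int, bool] = {}
    for line in output.splitlines():
        m = CACHE_LINE.search(line)
        if m:
            entries[int(m["utid"])] = m["disabled"] == "Yes"
    return entries


def exception_state(utid: int, mp_output: str, dp_output: str) -> str:
    """Classify a temporary exception for one UTID from MP and DP cache output.

    'not-cached'   - UTID absent from both caches (not a Real-Time detection)
    'active'       - Disabled: Yes in both MP and DP cache
    'inactive'     - present and enabled in both caches
    'dp-stuck'     - disabled in MP but still enabled in DP (stuck DP cache symptom)
    'inconsistent' - any other MP/DP mismatch
    """
    mp: Optional[bool] = parse_cache(mp_output).get(utid)
    dp: Optional[bool] = parse_cache(dp_output).get(utid)
    if mp is None and dp is None:
        return "not-cached"
    if mp is True and dp is True:
        return "active"
    if mp is False and dp is False:
        return "inactive"
    if mp is True and dp is False:
        return "dp-stuck"
    return "inconsistent"


# Constructed sample output in the format of the cache lines shown in this article.
MP_SAMPLE = "UTID: 42496182, NPatterns: 1, PatternPos: 0, Disabled: Yes\n"
DP_SAMPLE = "UTID: 42496182, NPatterns: 1, PatternPos: 0, Disabled: No\n"

if __name__ == "__main__":
    print(exception_state(42496182, MP_SAMPLE, DP_SAMPLE))  # dp-stuck
```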

For more information on this issue please see:
Why are disabled signatures (WildFire-Virus) getting triggered in PAN-OS 10.0 and above?


